Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Cookies not sent after a 302 redirect to a page on the same domain

Tags:

redirect

http

servlets

I'm very confused by this.. My web application uses Spring Security which relies upon a JSESSIONID cookie to maintain a users session.

One of my pages does a 302 redirect to another page on the same domain, still http, not switching to https or anything fancy. For some reason the browser (Chrome in this case) does not pass the cookie with the second request and the user looses his session.

Is this the expected http behavior? I'm probably missing something..

Just to be clear, the cookie is already set before the redirect, I'm not setting the cookie in the same response as the redirect.

like image 408
Kimble Avatar asked Sep 27 '13 09:09

Kimble

People also ask

Can 302 redirect set cookie?

According to this blog post: http://blog.dubbelboer.com/2012/11/25/302-cookie.html all major browsers, IE (6, 7, 8, 9, 10), FF (17), Safari (6.0. 2), Opera (12.11) both on Windows and Mac, set cookies on redirects. This is true for both 301 and 302 redirects.

Does a 302 automatically redirect?

What is an HTTP 302? The 302 status code is a redirection message that occurs when a resource or page you're attempting to load has been temporarily moved to a different location. It's usually caused by the web server and doesn't impact the user experience, as the redirect happens automatically.

How does a 302 redirect work?

A 302 redirect does not pass the “juice,” or keep your domain authority to its new location. It simply redirects the user to the new location for you so they don't view a broken link, a 404 not found page, or an error page.

How do I permanently redirect a URL?

To redirect a site permanently, one should use a 301 redirect. This type of redirect is best for SEO purposes and also informs the search engines that the site has moved permanently. If you change your domain name and want to point to a different URL, a 301 redirect is your best choice.

3 Answers

It could be a bug in Chrome. See Chromium bug #696204. In my case the workaround was changing SameSite=Strict to Lax.

like image 110
Václav Dajbych Avatar answered Oct 16 '22 00:10

Václav Dajbych

302 doesn't delete any cookie, so I think you are changing the host/port or the server expires the cookie. Look at this 3 requests (before 302, 302, after 302) and search something related to Set-Cookie header with a expires value.

It could be you have a problem with the cookie path, if you set the cookie path to a something different to '/', it will be not accessible to all paths.

like image 25
TlmaK0 Avatar answered Oct 15 '22 23:10

TlmaK0

Answering my own question. Turns out that one has to use a 303 (see other) response when redirecting from a post request.

From RFC 2616

10.3.4 303 See Other

The response to the request can be found under a different URI and SHOULD be retrieved using a GET method on that resource. This method exists primarily to allow the output of a POST-activated script to redirect the user agent to a selected resource. The new URI is not a substitute reference for the originally requested resource. The 303 response MUST NOT be cached, but the response to the second (redirected) request might be cacheable.

like image 20
Kimble Avatar answered Oct 16 '22 00:10

Kimble
Sign in to Comment

Related questions

The reason for a mandatory 'Host' clause in HTTP 1.1 GET
Using a web-proxy service to get the html content of the target url?
How can you upload files as a stream in go?
What HTTP response code to use for failed POST request?
Go http client timeout vs context timeout
Sending info with a HTTP redirect that the browser should send to the redirected location?
Is it acceptable to modify the text sent with the HTTP status code?
Is there any simple http response parser for Java?
Good low level http library for .Net [closed]
PUT POST being idempotent (REST)
Promise vs Observable for Http in Angular2? [duplicate]
How to Use Postman to Authenticate to Django REST Framework
How can I emulate PUT/DELETE for Rails and GWT?
Are there any viable alternatives to "classic" cookie authentication?
Best practice for handling HTTP HEAD request with Django on App Engine
How to anonymously identify a user and store that information
Android httpclient file upload data corruption and timeout issues
Is it valid to list multiple fields in a single Vary header?
Is it possible to receive out-of-order responses with HTTP?
Proper way to include data with an HTTP PATCH request

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!